Failed Facebook Login Attempts Reveal Private Information
Facebook cannot seem to stay out of the privacy news these days. A new bug was discovered on Wednesday by researcher Atul Agarwal, which allowed anyone to match an email address to a Facebook user's name and profile picture.
Facebook designed the login process to provide additional information to the user if the email and password combination used to log in do not match.
Instead of just displaying a warning that the login information was not correct, Facebook went one step further and displayed "Login As" information on the page. This included the user's profile photo and full name, regardless of that user's privacy settings on Facebook.
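The behaviour described above, modelled as an added example (not code from the article or from Facebook): a toy login handler that returns a "Login As" block on a wrong password, beside a hardened handler whose failure response is identical whether or not the email is registered. USERS, leaky_login, safe_login and failure_responses_identical are hypothetical names with constructed sample data.

```python
import hmac
import hashlib

# Constructed sample data: email -> (password hash, full name, profile photo).
USERS = {
    "alice@example.com": (hashlib.sha256(b"correct horse").hexdigest(),
                          "Alice Example", "alice.jpg"),
}

def _check(email, password):
    """Look up the account and verify the password; returns (record, ok)."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    rec = USERS.get(email)
    if rec is None:
        # Compare against a dummy digest so the time taken does not reveal
        # whether the email exists either.
        hmac.compare_digest(digest, "0" * 64)
        return None, False
    return rec, hmac.compare_digest(digest, rec[0])

def leaky_login(email, password):
    """Mirrors the flaw the article describes: on a wrong password the error
    still carries the account's real name and photo."""
    rec, ok = _check(email, password)
    if ok:
        return {"status": "ok", "name": rec[1]}
    if rec is not None:
        return {"status": "error", "message": "password incorrect",
                "login_as": {"name": rec[1], "photo": rec[2]}}
    return {"status": "error", "message": "unknown email"}

def safe_login(email, password):
    """Hardened form: every failure yields one fixed response, so a caller
    cannot tell a registered email from an unregistered one."""
    rec, ok = _check(email, password)
    if ok:
        return {"status": "ok", "name": rec[1]}
    return {"status": "error", "message": "The email or password is incorrect."}

def failure_responses_identical(login, known, unknown, password="wrong"):
    """Regression check for a handler: failed attempts for a registered and an
    unregistered email must produce identical responses."""
    return login(known, password) == login(unknown, password)
```

The last function is the check worth keeping in a test suite: it fails for the leaky handler and passes for the hardened one.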
Atul described the problem in detail on Seclists:
Sometime back, I noticed a strange problem with Facebook. I had accidentally entered a wrong password in Facebook, and it showed my first and last name with profile picture, along with the password incorrect message. I thought that the fact that it was showing the name had something to do with cookies stored, so I tried other email IDs, and it was the same. I wondered over the possibilities, and wrote a POC tool to test it.
This script extracts the First and Last Name (provided by the users when they sign up for Facebook). Facebook is kind enough to return the name even if the supplied email/password combination is wrong. Furthermore, it also gives out the profile picture (this script does not harvest it, but it's easy to add that too). Facebook users have no control over this, as this works even when you have set all privacy settings properly. Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.
The issue has been fixed in record time by Facebook. It does however mean that the privacy issue was exploitable by everyone, including users without a Facebook account, until the fix had been applied.
In plain English, anyone who discovered the issue was able to link email addresses to real names and profile photos on Facebook, even without an account.
Dedicated attackers may have used automation to extract the information in bulk from Facebook.
The proof of concept code that Atul wrote showed that malicious users could have exploited the issue to create a huge database of linked email addresses and full names, which could be disastrous if used in phishing campaigns or for other malicious purposes.